Robust Fuzzy Extractors and Authenticated Key Agreement from Close Secrets
Yevgeniy Dodis, Bhavana Kanukurthi, Jonathan Katz, Leonid Reyzin, Adam Smith

This is an expanded and corrected version of [5, 23]. It appears in IEEE Transactions on Information Theory (on-line in 2012, DOI 10.1109/TIT…).

Author affiliations and support:
- Yevgeniy Dodis: Dept. of Computer Science, New York University. dodis@cs.nyu.edu. This research was supported by NSF Grants #033806, #03095, and #0552.
- Bhavana Kanukurthi: Dept. of Computer Science, University of California, Los Angeles. bhavanak@cs.bu.edu. Work done while at Boston University. This research was supported by NSF grants #03485, #05500, #054664, #08328, #0290, and #.
- Jonathan Katz: Dept. of Computer Science, University of Maryland. jkatz@cs.umd.edu. This research was supported by NSF grants #03075, #, and #.
- Leonid Reyzin: Dept. of Computer Science, Boston University. reyzin@cs.bu.edu. This research was supported by NSF grants #03485, #05500, #054664, #08328, #0290, and #.
- Adam Smith: Computer Science & Engineering Department, Pennsylvania State University. asmith@cse.psu.edu. Work done while at the Weizmann Institute of Science. Supported by the Louis L. and Anita M. Perlman Fellowship.

Abstract

Consider two parties holding samples from correlated distributions $W$ and $W'$, respectively, where these samples are within distance $t$ of each other in some metric space. The parties wish to agree on a close-to-uniformly distributed secret key $R$ by sending a single message over an insecure channel controlled by an all-powerful adversary who may read and modify anything sent over the channel. We consider both the keyless case, where the parties share no additional secret information, and the keyed case, where the parties share a long-term secret $SK_{Ext}$ that they can use to generate a sequence of session keys $\{R_j\}$ using multiple pairs $\{(W_j, W'_j)\}$. The former has applications to, e.g., biometric authentication, while the latter arises in, e.g., the bounded-storage model with errors. We show solutions that improve upon previous work in several respects:

- The best prior solution for the keyless case with no errors (i.e., $t = 0$) requires the min-entropy of $W$ to exceed $2n/3$, where $n$ is the bit-length of $W$. Our solution applies whenever the min-entropy of $W$ exceeds the minimal threshold $n/2$, and yields a longer key.
- Previous solutions for the keyless case in the presence of errors (i.e., $t > 0$) required random oracles. We give the first constructions (for certain metrics) in the standard model.
- Previous solutions for the keyed case were stateful. We give the first stateless solution.

1 Introduction

A number of works have explored the problem of secret-key agreement based on correlated information, by which two parties holding samples $w, w'$ of correlated random variables $W, W'$ communicate in order to generate a shared, secret, close-to-uniform key $R$. The problem has variously been called information reconciliation (especially when the challenge is to handle differences between the samples held by the parties), privacy amplification (especially in the case when $W = W'$ and the goal is to transform a nonuniform shared secret to a uniform one), or fuzzy extraction. Early work [43, 5, 26, 3] assumed the parties could communicate over a public but authenticated channel or, equivalently, assumed a passive adversary. This assumption was relaxed in later work [29, 30, 42, 27, 33], which considered an active adversary who could modify all messages sent between the two parties. The goal of the above works was primarily to explore the possibility of information-theoretic security, especially in the context of quantum cryptography; however, this is not the only motivation. The problem also arises in the context of using noisy data (such as biometric information, or observations of some physical phenomenon) for cryptographic purposes, even if computational security suffices. The same problem also arises in the context of the bounded-storage model (BSM) [28] in the presence of errors [4, 7]. We discuss each of these in turn.

1.1 Authentication Using Noisy Data

In the case of authentication/key agreement using noisy data, the random variables $W, W'$ are close (with respect to some metric) but not identical. For simplicity, we assume the noisy data represents biometric information, though the same techniques apply to more general settings. In this context, two different scenarios have been considered:

Secure authentication: Here, a trusted server stores some biometric data $w$ of a user, obtained during an initial enrollment. Later, when the user and the server want to establish a secure communication session over an insecure channel, the user locally obtains a fresh biometric scan $w'$ which is close, but not identical, to $w$. The user and the server then use $w$ and $w'$ to authenticate each other and agree on a key $R$.

Key recovery: In this scenario, a user utilizes his biometric data $w$ to generate a random key $R$ along with some public information $P$, and then stores $P$ on a (possibly untrusted) server. The key $R$ is then used, for example, to encrypt some data for long-term storage. At a later point in time, the user obtains a fresh biometric scan $w'$ along with the value $P$ from the server; together, these values enable the user to recover $R$ (and hence decrypt the encrypted data).

In the second setting the user is, in effect, running a key agreement protocol with himself at two points in time, with the (untrusted) server acting as the communication channel between these two instances of the user. This second scenario inherently requires a noninteractive (i.e., one-message) solution since $w$ is no longer available at the later point in time. Note also that any solution for the second scenario also provides a solution for the first.

Several protocols for key agreement using noisy data over an authenticated channel are known [5, 3, 22, 20, 6]. Most of the existing work for an unauthenticated channel, however, solves the problem only for two special cases [29, 30, 42, 27, 33]: (1) when $W = W'$, or (2) when $W$ and $W'$ consist of (arbitrarily many) independent realizations of the same random variable; i.e., $W = (W^{(1)}, W^{(2)}, \ldots)$ and $W' = (W'^{(1)}, W'^{(2)}, \ldots)$. In the case of biometric data, however, $W, W'$ are not likely to be equal and we cannot in general obtain an unbounded number of samples.

Recently, there has been progress on the general case. Renner and Wolf [34] were the first to demonstrate that an interactive solution is possible. Their protocol was not efficient, but an efficient version was later given [24]. Boyen [8] showed (in the random oracle model) how to achieve unidirectional authentication, as well as a weak form of security for the second scenario (roughly, $R$ remains secret but the user can be fooled into using an incorrect key $R'$). Boyen et al. [9] showed two solutions to the problem. Their first solution is noninteractive and thus applies to both scenarios above, but relies on random oracles. Their second solution is interactive, and relies on password-based key exchange as a primitive. This means that it provides computational rather than information-theoretic security; furthermore, given the current state-of-the-art for password-based key exchange, their solution is impractical without additional assumptions such as random oracles or the existence of public parameters.

1.2 The Bounded-Storage Model and the Keyed Case

Key agreement using correlated information arises also in the context of the bounded-storage model (BSM) [28] in the presence of errors [4, 7]. In the BSM, two parties share a long-term secret key $SK_{BSM}$. In each time period $j$, a long random string $Z_j$ is broadcast to the parties (and the adversary); the assumption is that the length of $Z_j$ is more than what the adversary can store. The parties use $SK_{BSM}$ and $Z_j$ to generate a secret session key $R_j$ in each period. This process should achieve everlasting security [1], meaning that even if $SK_{BSM}$ is revealed to the adversary in some time period $n$, all session keys $\{R_j\}_{j < n}$ remain independently and uniformly distributed from the perspective of the adversary.

A paradigm (formalized by [39]) for achieving the above is for $SK_{BSM}$ to contain a seed $SK_{Sam}$ for a sampler (see Footnote 1) and another seed $SK_{Ext}$ for a randomness extractor. The parties use $SK_{Sam}$ to sample some portion of $Z_j$ in each period; in the absence of errors, this results in each party holding the same value $w_j$. Since the adversary may have some partial information about $w_j$, however, this shared value is not uniformly distributed from the point of view of the adversary, and the parties must therefore use a randomness extractor with the seed $SK_{Ext}$ to generate a uniform key $R_j$ for the current period.

In the presence of transmission errors in $Z_j$ the problem is even more difficult, as the parties then hold correlated (but possibly unequal) strings $w_j, w'_j$ after the initial sampling. The parallels to biometric authentication should be clear. Nevertheless, the problems are incomparable: in the case of the BSM with errors there is a stronger setup assumption (namely, that the parties share a long-term key $SK_{BSM}$) but the security requirements are more stringent since $SK_{BSM}$ needs to be reusable and everlasting security is required.

[Footnote 1] A sampler [2] is a function that maps $SK_{Sam}$ to a set of bit positions. In fact, $SK_{Sam}$ may simply encode a set of randomly chosen bit positions, but better samplers using shorter seeds are available.

1.3 Our Contributions

We focus on the abstract problem of secret-key agreement between two parties holding instances $w, w'$ of correlated random variables $W, W'$ that are guaranteed to be close but not necessarily identical. Specifically, we assume that $w$ and $w'$ are within distance $t$ in some underlying metric space. Our definitions as well as some of our results hold for arbitrary metric spaces, while other results assume specific metrics. We restrict our attention to noninteractive protocols defined by procedures (Gen, Rep) that operate as follows. The first party, holding $w$, computes $(R, P) \leftarrow \mathrm{Gen}(w)$ and sends $P$ to the second party; this second party computes $R' \leftarrow \mathrm{Rep}(w', P)$. (If the parties share a long-term key $SK_{Ext}$ then Gen, Rep take this key as additional input.) The basic requirements, informally, are

Correctness: $R = R'$ whenever $w'$ is within distance $t$ of $w$.
Security: If the min-entropy of $W$ is high, then $R$ is uniformly distributed even given $P$.

So far, this gives exactly a fuzzy extractor as defined by Dodis et al. [6] (although we additionally allow the possibility of a long-term key). Since we are interested in the case when the parties communicate over an unauthenticated channel, however, we actually want to construct robust fuzzy extractors [9] that additionally protect against malicious modification of $P$. Robustness requires that if the adversary sends any modified value $\tilde P \ne P$, then with high probability the second player will reject (i.e., $\mathrm{Rep}(w', \tilde P) = \bot$). We distinguish between the notion of pre-application robustness and the stronger notion of post-application robustness, where in the latter case the adversary is given $R$ before it generates $\tilde P$. Post-application robustness is needed in settings where the first party may begin using $R$ before the second party computes $R'$, and is also needed for the key recovery scenario discussed earlier (since previous usage of $R$ may leak information about it).

We now summarize our results:

The case of no errors. Although our focus is on the case when $W, W'$ are unequal, we obtain improvements also in the case when they are equal (i.e., $t = 0$) but nonuniform. Let $m$ denote the min-entropy of $W$ and let $n \ge m$ denote its bit-length. The best previous noninteractive solution in this setting is due to Maurer and Wolf [27] who show that when $m > 2n/3$ it is possible to achieve pre-application robustness and generate a shared key $R$ of length $m - 2n/3$. On the other hand, results of [8, 9] imply that a non-interactive solution is impossible when $m \le n/2$. (As shown in [27, Section III-C], interactive solutions can do better; in fact, it is possible for the length of $R$ to be nearly $m$ [33, 9, 1].) We bridge the gap between known upper- and lower-bounds and show that whenever $m > n/2$ it is possible to achieve pre-application robustness and generate a shared key $R$ of length $2m - n$. This improves both the required min-entropy of $W$ and the length of the resulting key. Moreover, we give the first solution satisfying post-application robustness. That solution also works as long as $m > n/2$, but extracts a key half as long (that is, of length $m - n/2$).

Handling errors. The only previously known construction of robust fuzzy extractors [9] relies on the random oracle model. We (partially) resolve the main open question of [9] by showing a construction of robust fuzzy extractors in the standard model for the specific cases of the Hamming and set-difference metrics (see Footnote 2). (The solution in [9] is generic and applies to any metric admitting a good error-correcting code.) Our construction achieves post-application robustness. The techniques of this paper were subsequently generalized in [2].

Using a shared long-term key. There are scenarios in which the two parties trying to derive $R$ from $w$ and $w'$ already share a long-term secret key. Motivated by such settings, we define and construct a keyed robust fuzzy extractor for general metrics. In the process, we introduce a new primitive called an extractor-MAC: a one-time information-theoretic message authentication code whose output is independent of the key if the message has sufficient entropy.

Application to the BSM with errors. Prior work focusing on the BSM with errors [4, 7] showed a noninteractive (i.e., single-message) solution to the problem discussed in Section 1.2 when the samples $w_j, w'_j$ of the parties have constant relative Hamming distance. The solution of [4] is stateful: the long-term key $SK_{BSM}$ is updated by both parties after each time period using information derived from $Z_j$. If a party misses a time period and is no longer synchronized with the other party, it is not clear how to recover. The solution of [7] is stateless; the parties keep the same long-term key $SK_{BSM}$ and can communicate even if one of them misses some $Z_j$. However, this solution assumes the parties can communicate over an authenticated channel. Building on keyed robust fuzzy extractors, we show a stateless solution for the BSM with errors (under the Hamming metric) using an unauthenticated channel.

[Footnote 2] A previous version of this work [5] contained an erroneous claim of a construction for edit distance, which proceeded by embedding edit distance into set difference using shingling (see [6]). That construction does not work, however, because the embedding fails to preserve the requirement that $m > n/2$.

2 Definitions and Preliminaries

For strings $a$ and $b$, we use $a \| b$ to denote their concatenation and let $|a|$ denote the length of $a$. If $S$ is a set, $x \leftarrow S$ means that $x$ is chosen uniformly from $S$. If $X$ is a probability distribution, then $x \leftarrow X$ means that $x$ is chosen according to $X$. The notation $\Pr_X[x]$ denotes the probability assigned by $X$ to the value $x$. (We often omit the subscript when the probability distribution is clear from context.) If $A$ is a probabilistic algorithm and $x$ is an input, $A(x; \omega)$ denotes the output of $A$ running with random coins $\omega$, and $A(x)$ is the random variable $A(x; \omega)$ for uniformly sampled $\omega$. If $X$ is a distribution, then $A(X)$ is the random variable obtained by sampling $x \leftarrow X$ and then running $A(x)$. We let $U_l$ denote the uniform distribution over $\{0,1\}^l$. All logarithms are base 2.

Let $X_1, X_2$ be two probability distributions over some set $S$. Their statistical distance is $\mathrm{SD}(X_1, X_2) \stackrel{\mathrm{def}}{=} \frac{1}{2} \sum_{s \in S} \left| \Pr_{X_1}[s] - \Pr_{X_2}[s] \right|$. If two distributions have statistical distance at most $\varepsilon$, we say they are $\varepsilon$-close and write $X_1 \approx_\varepsilon X_2$. Note that $\varepsilon$-close distributions cannot be distinguished with advantage better than $\varepsilon$ by an adversary who gets a single sample, even if the adversary is computationally unbounded.

The min-entropy of a random variable $X$ is defined as $H_\infty(X) = -\log(\max_x \Pr_X[x])$. Following [6], we define the (average) conditional min-entropy of $X$ given $Y$ as $\tilde H_\infty(X \mid Y) = -\log\left( \mathbb{E}_{y \leftarrow Y}\left( 2^{-H_\infty(X \mid Y = y)} \right) \right)$ (where the expectation is over $y$ for which $\Pr[Y = y]$ is nonzero).
This definition is suited for cryptographic purposes because the probability that an adversary can predict $X$ when given the value of $Y$ is $2^{-\tilde H_\infty(X \mid Y)}$.

Lemma 1 ([6, Lemma 2.2]) Let $Y$ have at most $2^\lambda$ elements in its support. Then $\tilde H_\infty(X \mid Y) \ge H_\infty(X, Y) - \lambda$. (More generally, $\tilde H_\infty(X \mid Y, Z) \ge \tilde H_\infty(X, Y \mid Z) - \lambda$.)

2.1 Hash Functions and Extractors

We recall the notion of almost-universal hashing [10, 36].

Definition 1 A family of efficient functions $\mathcal{H} = \{ h_i : \{0,1\}^n \to \{0,1\}^l \}_{i \in I}$ is $\delta$-almost universal if for all $x \ne x'$ we have $\Pr_{i \leftarrow I}[h_i(x) = h_i(x')] \le \delta$. Families with $\delta = 2^{-l}$ are called universal.

A simple universal family [36, Theorem 5.2] can be constructed by identifying $I$ and $\{0,1\}^n$ with $GF(2^n)$ in the natural way, and defining $h_i(x)$ as the high-order $l$ bits of $i \cdot x$.

Extractors [3] yield a (close to) uniform string from a random variable with high min-entropy, using a uniform seed $i$. Strong extractors guarantee that the extracted string is uniform even conditioned on the seed. We consider only strong extractors in this paper, and thus often omit the qualifier "strong".

Definition 2 Let $I$ be a set and $\mathcal{I}$ the uniform distribution over that set. A function $\mathrm{Ext} : \{0,1\}^n \times I \to \{0,1\}^l$ is a strong $(m, \varepsilon)$-extractor if for all distributions $X$ over $\{0,1\}^n$ with $H_\infty(X) \ge m$ we have $\mathrm{SD}((\mathrm{Ext}(X; \mathcal{I}), \mathcal{I}), (U_l, \mathcal{I})) \le \varepsilon$. We refer to the second argument to Ext as the seed.

We need to strengthen the above definition to account for external information $E$ an adversary knows that may be correlated with $X$. To do so, we generalize the min-entropy constraint on $X$ to average min-entropy, and require the extracted string to be uniform even given $E$. Namely, we require that for any $X, E$ such that $\tilde H_\infty(X \mid E) \ge m$ we have $\mathrm{SD}((\mathrm{Ext}(X; \mathcal{I}), \mathcal{I}, E), (U_l, \mathcal{I}, E)) \le \varepsilon$. Such extractors are called average-case extractors. Note that any $(m - \log(1/\varepsilon'), \varepsilon)$-extractor is an $(m, \varepsilon + \varepsilon')$-average-case extractor, because $\Pr_{e \leftarrow E}[H_\infty(X \mid e) \ge m - \log(1/\varepsilon')] \ge 1 - \varepsilon'$ by Markov's inequality; Vadhan [40] proves the stronger statement that any $(m, \varepsilon)$-extractor for $m \le n - 1$ is also an $(m, 3\varepsilon)$-average-case extractor. However, the additional loss is not always necessary. Indeed, the Leftover Hash Lemma generalizes without any loss to the average-case setting. (Multiple versions of this lemma have appeared; we use the formulation of [37, Theorem 8.1], augmented by [6, Lemma 2.4] for the average case; see [2] and references therein for earlier formulations.)

Lemma 2 (Leftover Hash Lemma) Fix $l, m, \varepsilon > 0$. If $\mathcal{H} = \{ h_i : \{0,1\}^n \to \{0,1\}^l \}_{i \in I}$ is a $\left( 2^{-l}(1 + 4\varepsilon^2) - 2^{-m} \right)$-almost universal family, then $\mathcal{H}$ is a strong $(m, \varepsilon)$-average-case extractor (where the index of the hash function is the seed to the extractor). In particular, if $\mathcal{H}$ is universal and $l \le m - 2\log(1/\varepsilon)$, then $\mathcal{H}$ is a strong $(m, \varepsilon)$-average-case extractor. The above holds even when $\mathcal{H}$ depends on $E$, i.e., when $\mathcal{H} = \{\mathcal{H}_e\}_{e \in E}$ is a collection of almost-universal families, one for each value of the external information $E$.

2.2 One-Time Message Authentication Codes

An (information-theoretic) one-time message authentication code (MAC) consists of polynomial-time algorithms (Mac, Vrfy). The first algorithm takes a key $SK$ and a message $M \in \{0,1\}^n$ and outputs a tag $t$; we write this as $t = \mathrm{Mac}_{SK}(M)$. The verification algorithm Vrfy takes as input a key $SK$, a message $M \in \{0,1\}^n$, and a tag $t$, and outputs either 1 or 0, with the former being interpreted as acceptance and the latter as rejection. Correctness requires that for all $SK$ and all $M \in \{0,1\}^n$, we have $\mathrm{Vrfy}_{SK}(M, \mathrm{Mac}_{SK}(M)) = 1$. Security requires that when $SK$ is chosen uniformly, an unbounded adversary cannot output a valid tag on a new message even after being given the tag on any message of its choice. Formally:

Definition 3 Message authentication code (Mac, Vrfy) is a $\delta$-secure one-time MAC if for any adversary $A$ and any message $M$, the probability that the following experiment outputs success is at most $\delta$: Choose uniform key $SK$; let $t = \mathrm{Mac}_{SK}(M)$; let $(M', t') \leftarrow A(t)$; output success if $M' \ne M$ and $\mathrm{Vrfy}_{SK}(M', t') = 1$.

We next recall the notion of (almost) strongly universal hashing [4, 36].

Definition 4 A family of efficient functions $\mathcal{H} = \{ h_i : \{0,1\}^n \to \{0,1\}^l \}_{i \in I}$ is $\delta$-almost strongly universal if for all $x \ne x'$ and all $y, y'$ it holds that: (a) $\Pr_{i \leftarrow I}[h_i(x) = y] = 2^{-l}$ and (b) $\Pr_{i \leftarrow I}[h_i(x) = y \wedge h_i(x') = y'] \le \delta \cdot 2^{-l}$. Families with $\delta = 2^{-l}$ are called strongly universal or pairwise independent.

A strongly universal family [36, Theorem 5.2] is obtained by identifying $\{0,1\}^n$ with $GF(2^n)$, letting $I = GF(2^n) \times \{0,1\}^l$, and defining $h_{a,b}(x)$ as the high-order $l$ bits of $(a \cdot x) + b$.
An almost strongly universal hash family can be used for information-theoretic authentication of a message $M$ using a secret key $i$, by letting the tag be $t = h_i(M)$. The property of being $\delta$-almost strongly universal implies that this is a $\delta$-secure one-time MAC.

2.3 Secure Sketches and Fuzzy Extractors

We review the definitions of secure sketches and fuzzy extractors from [6]. Let $\mathcal{M}$ be a metric space with distance function dis. Informally, a secure sketch enables recovery of a string $w \in \mathcal{M}$ from any close string $w' \in \mathcal{M}$, without leaking too much information about $w$.

Definition 5 An $(m, \tilde m, t)$-secure sketch for $\mathcal{M}$ is a pair of efficient randomized algorithms (SS, SRec) such that:
1. The sketching procedure SS takes an input $w \in \mathcal{M}$ and outputs a string $s \in \{0,1\}^*$. The recovery procedure SRec takes as inputs an element $w' \in \mathcal{M}$ and a string $s \in \{0,1\}^*$, and returns an element of $\mathcal{M}$.
2. Correctness: If $\mathrm{dis}(w, w') \le t$ then $\mathrm{SRec}(w', \mathrm{SS}(w)) = w$.
3. Security: For any distribution $W$ over $\mathcal{M}$ with $H_\infty(W) \ge m$, we have $\tilde H_\infty(W \mid \mathrm{SS}(W)) \ge \tilde m$.

The quantity $m - \tilde m$ is called the entropy loss of the secure sketch.

For the case of the Hamming metric on $\mathcal{M} = \{0,1\}^n$, we will make use of the syndrome construction from [6] (this construction also appeared as a component of earlier work, e.g., [4]). Here the sketch $s = \mathrm{SS}(w)$ consists of the $k$-bit syndrome (see Footnote 3) of $w$ with respect to some (efficiently decodable) $[n, n - k, 2t + 1]$-error-correcting code. We do not need any details of this construction other than the facts that $s$ is a (deterministic) linear function of $w$ and that the entropy loss is at most $|s| = k$. We also note that this construction can be extended to the set-difference metric [6].

[Footnote 3] If $H$ is the parity matrix for a linear code $C$ (i.e., $c \in C$ iff $cH^T = 0$), then the syndrome of a vector $w$ is $wH^T$.

As opposed to a secure sketch, whose goal is to recover the original input, a fuzzy extractor enables generation of a close-to-uniform string $R$ from $w$, and subsequent reproduction of $R$ from any $w'$ close to $w$.

Definition 6 An $(m, l, t, \varepsilon)$-fuzzy extractor for $\mathcal{M}$ is a pair of efficient randomized algorithms (Gen, Rep) such that:
1. The generation procedure Gen takes input $w \in \mathcal{M}$ and outputs an extracted string $R \in \{0,1\}^l$ and a helper string $P \in \{0,1\}^*$. The reproduction procedure Rep takes as inputs an element $w' \in \mathcal{M}$ and a string $P \in \{0,1\}^*$, and returns a string in $\{0,1\}^l$.
2. Correctness: If $\mathrm{dis}(w, w') \le t$ and $(R, P)$ is output by $\mathrm{Gen}(w)$, then $\mathrm{Rep}(w', P) = R$.
3. Security: For any distribution $W$ over $\mathcal{M}$ with min-entropy $m$, the string $R$ is close to uniform conditioned on $P$. I.e., if $H_\infty(W) \ge m$ and $(R, P) \leftarrow \mathrm{Gen}(W)$, then $\mathrm{SD}((R, P), (U_l, P)) \le \varepsilon$.
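As an added illustration (not code from the paper), the syndrome secure sketch for the Hamming metric described above, instantiated with the binary Hamming code as the $[n, n-k, 2t+1]$ code, so $n = 2^r - 1$, $k = r$ and $t = 1$; the parity-check matrix layout, the integer encoding of words and the sample word are assumptions made here:

```python
# Constructed example of the syndrome sketch (SS, SRec) from Section 2.3, for the
# binary Hamming code [n, n-k, 3] with n = 2^r - 1 and k = r (corrects t = 1 error).
# Assumed layout: the parity-check matrix H has the r-bit binary representation of j
# as its j-th column (j = 1..n); a word w in {0,1}^n is an int whose bit j-1 is
# coordinate j, so Hamming distance between words is the popcount of their XOR.


def syndrome(w, r):
    """wH^T for this code: the XOR of the column indices j at which w_j = 1."""
    n = (1 << r) - 1
    assert 0 <= w < (1 << n), "word must have n = 2^r - 1 bits"
    s = 0
    for j in range(1, n + 1):
        if (w >> (j - 1)) & 1:
            s ^= j
    return s


def ss(w, r):
    """SS(w): the public sketch is the k = r-bit syndrome, a deterministic linear
    function of w, so the entropy loss is at most |s| = r bits."""
    return syndrome(w, r)


def srec(w2, s, r):
    """SRec(w', s): recover w from any w' with dis(w, w') <= t = 1.
    By linearity, syndrome(w') xor s = syndrome(w' xor w) = syndrome(e) for the
    error vector e; for a single flipped coordinate that syndrome is its index."""
    e = syndrome(w2, r) ^ s
    return w2 if e == 0 else w2 ^ (1 << (e - 1))


def hamming_distance(x, y):
    """dis(x, y) for the Hamming metric on {0,1}^n."""
    return bin(x ^ y).count("1")


def demo(r=3):
    """Constructed sample (n = 7): enrol w, perturb one coordinate, recover w."""
    w = 0b1010110                 # coordinates 2, 3, 5, 7 are set
    s = ss(w, r)                  # 2 ^ 3 ^ 5 ^ 7 = 3 is published alongside nothing else
    w2 = w ^ (1 << 4)             # fresh reading with coordinate 5 flipped, dis = 1
    return s, hamming_distance(w, w2), srec(w2, s, r) == w
```

A reading with two flipped coordinates exceeds $t$ and SRec returns a wrong word, which is the correctness boundary Definition 5 sets, not a bug.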
Composing an $(m, \tilde m, t)$-secure sketch with an average-case $(\tilde m, \varepsilon)$-extractor $\mathrm{Ext} : \mathcal{M} \times I \to \{0,1\}^l$ yields an $(m, l, t, \varepsilon)$-fuzzy extractor with $P = (\mathrm{SS}(w), i)$ and $R = \mathrm{Ext}(w; i)$ (see [6, Lemma 4.1]). Just as with ordinary extractors, a more general definition of fuzzy extractors accounts for external information $E$ and requires that for any $W, E$ with $\tilde H_\infty(W \mid E) \ge m$ it holds that $\mathrm{SD}((R, P, E), (U_l, P, E)) \le \varepsilon$. A fuzzy extractor satisfying this definition is called an average-case fuzzy extractor, and all known constructions satisfy this more general definition.

In this work we will also use keyed fuzzy extractors where both Gen and Rep use the same key $SK_{Ext}$, which is uniform and independent of the input distribution $W$. Here we require the additional security property that $SK_{Ext}, R$ are independently uniform conditioned on $P$. This stronger requirement stems from the fact that $SK_{Ext}$ needs to be reusable; thus, it should remain uniform and independent of $P, R$ in order to be useful next time. This requirement implies (by a hybrid argument) that keyed fuzzy extractors can be used multiple times (with the same key $SK_{Ext}$) to extract independent keys $\{R_j\}$ from independent $\{W_j\}$. It also implies that any extracted key $R_j$ remains uniform even to an adversary who learns $SK_{Ext}$ and $P_j$ (but not $w_j$).

Definition 7 An $(m, l, t, \varepsilon)$-keyed fuzzy extractor for $\mathcal{M}$ is a pair of efficient randomized algorithms (Gen, Rep) such that:
1. Algorithm Gen, on input a key $SK_{Ext}$ and $w \in \mathcal{M}$, outputs $R \in \{0,1\}^l$ and $P \in \{0,1\}^*$; we denote this by $(R, P) \leftarrow \mathrm{Gen}_{SK_{Ext}}(w)$. Algorithm Rep takes as input a key $SK_{Ext}$, an element $w' \in \mathcal{M}$, and a string $P \in \{0,1\}^*$, and returns a string in $\{0,1\}^l$; we denote this by $R \leftarrow \mathrm{Rep}_{SK_{Ext}}(w', P)$.
2. Correctness: For any key $SK_{Ext}$, if $\mathrm{dis}(w, w') \le t$ and $(R, P)$ is output by $\mathrm{Gen}_{SK_{Ext}}(w)$, then it holds that $\mathrm{Rep}_{SK_{Ext}}(w', P) = R$.
3. Security: If $SK_{Ext}$ is uniform, the distribution $W$ over $\mathcal{M}$ is such that $H_\infty(W) \ge m$, and $(R, P) \leftarrow \mathrm{Gen}_{SK_{Ext}}(W)$, then $\mathrm{SD}((SK_{Ext}, R, P), (U_{SK_{Ext}}, U_l, P)) \le \varepsilon$.

For some applications we need to impose the additional condition that, informally, $P$ not reveal any information about the distribution $W$. Formally, the distribution $P$ should be the same regardless of the distribution $W$, as long as $W$ has sufficient min-entropy. It is easiest, though slightly more restrictive than necessary, to simply require $P$ to be uniform (for any $W$ with sufficient min-entropy). That is, we say that (Gen, Rep) has uniform helper strings if the security condition is strengthened to require $\mathrm{SD}((SK_{Ext}, R, P), (U_{SK_{Ext}}, U_l, U_{|P|})) \le \varepsilon$. This additional security condition was subsequently explored in the setting of interactive key agreement [7].

This additional requirement may seem strange: after all, security of a fuzzy extractor depends not on secrecy of the distribution $W$, but only on the fact that $W$ has high min-entropy, which ensures that the specific sample $w$ is secret. However, there are applications that need the distribution $W$ to be kept secret, and the public output of the fuzzy extractor can harm them if this requirement is not satisfied. The specific application considered in this paper is to the bounded-storage model (introduced in Section 1.2 and addressed in detail in Section 4.3). In this application, the input distribution to the fuzzy extractor depends on the sampling seed $SK_{Sam}$, which needs to remain secret so that it can be reused.
2.4 Robust Fuzzy Extractors

Fuzzy extractors protect against a passive attack in which an adversary observes $P$ and tries to learn something about the extracted key $R$. However, the definition says nothing about what happens if an adversary can modify $P$ as it is sent to the user holding $w'$. That is, there are no guarantees about the output of $\mathrm{Rep}(w', \tilde P)$ for $\tilde P \ne P$. Boyen et al. [9] propose the notion of robust fuzzy extractors, which provide strong guarantees against such an attack. Specifically, Rep can now output either a key or a special value $\bot$ (denoting "fail"). The definition requires that with high probability any value $\tilde P \ne P$ produced by the adversary (after being given $P$) causes $\mathrm{Rep}(w', \tilde P)$ to output $\bot$. Modified versions of the public information $P$ will therefore be detected.

We consider two variants of this idea, depending on whether Gen and Rep additionally share a long-term key $SK_{Ext}$. (Boyen et al. considered only the keyless version.) Furthermore, we distinguish between two adversarial attacks, and thus two notions of robustness, depending on whether the adversary has access to $R$ when modifying $P$. Indeed, if $R$ is used (e.g., for encryption) and the adversary can observe some effect of this use (e.g., the ciphertext) before modifying $P$, then the notion of robustness from Boyen et al. (in which the adversary is given no information about $R$) is insufficient. Our stronger notion accounts for this by giving the adversary access to $R$ in addition to $P$. This is a conservative choice that results in a broadly applicable definition: security holds regardless of how $R$ is used and whether it remains hidden partially, computationally, or not at all. We call this stronger notion post-application robustness, and refer to the original notion (where $R$ is not given to the adversary) as pre-application robustness. Pre-application robustness suffices if the adversary's ability to modify $P$ ends prior to any observable use of $R$.

If $W, W'$ are two (correlated) random variables over a metric space $\mathcal{M}$, we say $\mathrm{dis}(W, W') \le t$ if the distance between $W$ and $W'$ is at most $t$ with probability one. We call $(W, W')$ a $(t, m)$-pair if $\mathrm{dis}(W, W') \le t$ and $H_\infty(W) \ge m$.

Definition 8 An $(m, l, t, \varepsilon)$-fuzzy extractor has post-application (resp., pre-application) robustness $\delta$ if for all $(t, m)$-pairs $(W, W')$ and all adversaries $A$, the probability that the following experiment outputs success is at most $\delta$: Sample $(w, w')$ from $(W, W')$; let $(R, P) \leftarrow \mathrm{Gen}(w)$; let $\tilde P \leftarrow A(R, P)$ (resp., $\tilde P \leftarrow A(P)$); output success if $\tilde P \ne P$ and $\mathrm{Rep}(w', \tilde P) \ne \bot$.

The definition is illustrated in Figure 1. Note that the definition is interesting even when $w = w'$ (i.e., when $t = 0$), because ordinary extractors are not usually robust. We construct (keyless) robust fuzzy extractors in Section 3, and keyed robust fuzzy extractors in Section 4.

The definition of robust extractors composes with itself in some situations. For example, a generalization of the above (used in [9]) allows the adversary to output $(\tilde P_1, \ldots, \tilde P_j)$; the adversary succeeds if there exists an $i$ with $\mathrm{Rep}(w', \tilde P_i) \ne \bot$. A simple union bound shows that the success probability of an adversary in this case increases at most linearly in $j$. Similarly, suppose two players (Alice and Bob) receive a sequence of pairs of random variables $(W_1, W'_1), (W_2, W'_2), \ldots, (W_j, W'_j)$ (with Alice receiving the $\{W_i\}$ and Bob receiving the $\{W'_i\}$), such that $\mathrm{dis}(W_i, W'_i) \le t$ for all $i$, and the entropy of $W_i$ conditioned on the information $\{(W_k, W'_k)\}_{k < i}$ from prior time periods is at least $m$. Alice and Bob can agree on random and independent keys $R_1, \ldots, R_j$ by having Alice apply Gen from a robust average-case fuzzy extractor to each $W_i$ and then send $P_i$ to Bob. The attacker's advantage in distinguishing the vector of unknown keys from random is at most $j\varepsilon$ (this follows by a hybrid argument that replaces extracted keys by random strings one at a time, starting with the most recent one). The attacker's probability of forging a valid $\tilde P_i$ is at most $\delta$ in any given period $i$ (this can be shown by simply giving the attacker $(W_1, W'_1), \ldots, (W_{i-1}, W'_{i-1})$); thus, the overall probability of forgery over all time periods is at most $j\delta$.

[Figure 1: Robust extractors (cf. Definition 8). Gen takes $w$ and outputs $(R, P)$; the adversary $A$ sees $P$ and outputs $\tilde P$; Rep takes $w'$ and $\tilde P$ and outputs $R$ or $\bot$. Dashed lines indicate variations in the definition: (a) Keyed extractors take an additional input $SK_{Ext}$ shared by Gen and Rep. (b) For pre-application robustness, the adversary does not have access to the extracted key $R$.]

For keyed fuzzy extractors, robustness is defined exactly as in Definition 8 with the only difference being that Gen and Rep both use the same (uniform) key $SK_{Ext}$ (which is not given to the adversary); see Figure 1. At first glance, the addition of a long-term key may seem to trivialize the problem of constructing robust fuzzy extractors. For example, one might attempt to use $SK_{Ext}$ as a key for a message authentication code and, given output $(R, P)$ from a fuzzy extractor, simply append to $P$ the tag $\mathrm{Mac}_{SK_{Ext}}(P)$. While this may work in the computational setting, it will not suffice in the information-theoretic setting if we want to support an unbounded number of time periods (or if we want to use a key $SK_{Ext}$ whose length does not grow linearly in the number of time periods supported). Furthermore, such a construction will not satisfy the security property of Definition 7 because $SK_{Ext}$ will not be uniform conditioned on $P$ and $\mathrm{Mac}_{SK_{Ext}}(P)$.

3 Constructing (Keyless) Robust Fuzzy Extractors

We begin by analyzing the case of no errors (i.e., $t = 0$), and then consider the more general case.

3.1 The Errorless Case ($w = w'$)

Consider the case where $\mathcal{M} = \{0,1\}^n$ and Alice and Bob hold the same sample $w \in \{0,1\}^n$ of a random variable $W$. In the presence of a passive adversary, Alice and Bob can agree on a uniform key using a strong extractor Ext.
Phrased using the terminology of fuzzy extractors (with $t = 0$ here), Alice runs $\mathrm{Gen}(w)$, which simply samples a seed $P$ for Ext, and sends $P$ to Bob; both Alice and Bob then output the key $R = \mathrm{Rep}(w, P) = \mathrm{Ext}(w; P)$. This solution does not work if the adversary is active, which is why robust fuzzy extractors are interesting even in the errorless case. In particular, if an adversary forwards $\tilde P \ne P$ to Bob, then there is no longer any guarantee on Bob's output $\mathrm{Ext}(w; \tilde P)$; in fact, it is easy to show a construction of a strong extractor Ext with the property that a maliciously generated $\tilde P$ completely determines Bob's key $\tilde R = \mathrm{Ext}(w; \tilde P)$. One idea to address this is for Alice to authenticate $P$ using the key $R$ she extracts, and then send the authentication tag along with $P$ to Bob. In general this does not work either: if the adversary forwards $\tilde P \ne P$ to Bob, then it may be easy for the adversary to generate a forged tag with respect
to the key $\tilde R$ that Bob derives. Instead, we use $w$ itself to authenticate $P$, and show that this approach works for a particular choice of strong extractor and message authentication code.

We define algorithms Gen, Rep as follows. To compute $\mathrm{Gen}(w)$, parse $w$ as two strings $a$ and $b$ of lengths $n - v$ and $v$, respectively, where $v < n/2$ is a parameter of the construction. View $a$ as an element of $\mathrm{GF}(2^{n-v})$ and $b$ as an element of $\mathrm{GF}(2^{v})$ (the representation of field elements does not matter, as long as addition in the field corresponds to exclusive-or of bit strings). Choose random $i \in \mathrm{GF}(2^{n-v})$, let $[ia]_{v+1}^{n-v}$ denote the most significant $n - 2v$ bits of $ia \in \mathrm{GF}(2^{n-v})$, and let $[ia]_1^{v}$ denote the remaining $v$ bits of $ia$. View $[ia]_1^{v}$ as an element of $\mathrm{GF}(2^{v})$. Then compute $\sigma = [ia]_1^{v} + b$, set $P = (i, \sigma)$, and let the extracted key be $R = [ia]_{v+1}^{n-v}$. See Figure 2.

Figure 2: Construction for the errorless case.

$\mathrm{Rep}(w, P')$, where $P' = (i', \sigma')$, proceeds as follows. Parse $w$ as two strings $a$ and $b$ as above. Then verify that $\sigma' = [i'a]_1^{v} + b$ and output $\bot$ if this is not the case. Otherwise, compute the extracted key $R' = [i'a]_{v+1}^{n-v}$.

The following theorem states the parameters for which (Gen, Rep) is a robust fuzzy extractor. (Since $t = 0$ here, the metric over $\{0,1\}^n$ is irrelevant.) Observe that extraction is possible as long as $H_\infty(W) \stackrel{\mathrm{def}}{=} m > n/2$, and in the case of pre-application robustness (which is the notion considered in [27]) we extract a key of length roughly $2m - n$. This improves on the result of Maurer and Wolf [27], who require $m > 2n/3$ and extract a key of length roughly $m - 2n/3$.

Theorem 3 Fix $v$, and let $\ell = n - 2v$ be the length of the extracted key. Then:

- For any $\varepsilon, \delta$ satisfying $\ell \le 2m - n - \max\{2\log(1/\delta),\, 4\log(1/\varepsilon)\}$, (Gen, Rep) is an $(m, \ell, 0, \varepsilon)$-fuzzy extractor with pre-application robustness $\delta$.

- For any $\varepsilon, \delta$ satisfying $\ell \le \min\left\{\frac{2m - n - 2\log(1/\delta)}{3},\; 2m - n - 4\log(1/\varepsilon)\right\}$, (Gen, Rep) is an $(m, \ell, 0, \varepsilon)$-fuzzy extractor with post-application robustness $\delta$.
Proof We show that $R \in \{0,1\}^{\ell}$ is close to uniform conditioned on $P$, and then argue robustness.
Extraction. We begin by showing that $\mathcal{H} = \{h_i : h_i(a, b) \stackrel{\mathrm{def}}{=} (\sigma, R)\}$ is a universal hash family. Indeed, for $(a, b) \ne (a', b')$ we have
$$\Pr_i[h_i(a,b) = h_i(a',b')] = \Pr_i\Big[\,[ia]_1^{v} - [ia']_1^{v} = b' - b \;\wedge\; [ia]_{v+1}^{n-v} = [ia']_{v+1}^{n-v}\,\Big].$$
This is equivalent to $\Pr_i\big[\, i(a - a') = 0^{n-2v} \,\|\, (b' - b) \,\big]$, where $\|$ denotes concatenation (this is because we insisted that addition/subtraction in the finite fields corresponds to bitwise exclusive-or). If $a = a'$ then we must have $b \ne b'$ and so the probability is 0. If $a \ne a'$, then there is a unique $i$ that satisfies the equality. Thus, the probability is at most $1/|\mathrm{GF}(2^{n-v})| = 2^{v-n}$.

Using the above and the leftover hash lemma (Lemma 2) we see that $(R, P) = (R, (i, \sigma))$ is $2^{((\ell+v)-m-2)/2} \le \varepsilon/2$-close to $(U_\ell \times U_{n-v} \times U_v)$ or, put differently, that $\mathrm{SD}((R, P), U_\ell \times U_n) \le \varepsilon/2$. This implies $\mathrm{SD}((R, P), U_\ell \times P) \le \varepsilon$ using the triangle inequality.

Pre-application robustness. We prove the stronger result that robustness holds for a worst-case choice of $i$. Fix $i$ and $A$, and let Succ be the event that $A$ succeeds. Since $A$ is unbounded, we may assume it is deterministic. Upon observing $\sigma$, the adversary outputs $A(\sigma) = (i', \sigma') \ne (i, \sigma)$. If $i' = i$, then Rep will reject unless $\sigma' = \sigma$; therefore, we need only consider the case $i' \ne i$. By definition, $A$ succeeds only if $\sigma' = [i'a]_1^{v} + b$. Call a triple $(\sigma, i', \sigma')$ a transcript, and say it is possible if $A(\sigma) = (i', \sigma')$. For any possible transcript $\mathrm{tr} = (\sigma, i', \sigma')$ the following holds (in the probability expressions below, $a\|b$ is chosen according to the distribution $W$ conditioned on tr or, equivalently, conditioned on $\sigma$):
$$\begin{aligned}
\Pr[\mathrm{Succ} \mid \mathrm{tr}] &= \Pr_{a\|b}\Big[\,[ia]_1^{v} + b = \sigma \;\wedge\; [i'a]_1^{v} + b = \sigma'\,\Big] \\
&= \Pr_{a\|b}\Big[\,[ia]_1^{v} - [i'a]_1^{v} = \sigma - \sigma' \;\wedge\; b = \sigma - [ia]_1^{v}\,\Big] \\
&= \Pr_{a\|b}\Big[\,[(i - i')a]_1^{v} = \sigma - \sigma' \;\wedge\; b = \sigma - [ia]_1^{v}\,\Big],
\end{aligned}$$
where the final equality holds because we insisted that addition/subtraction in our fields corresponds to bitwise exclusive-or.
The term $(i - i')a$ takes on each possible value in $\mathrm{GF}(2^{n-v})$ exactly once as $a$ varies; therefore, there are $2^{n-v}/2^{|\sigma|} = 2^{n-2v}$ values of $a$ for which $[a(i - i')]_1^{v} = \sigma - \sigma'$. For each such value of $a$, there is a unique value of $b$ that satisfies $b = \sigma - [ia]_1^{v}$. Each $(a, b)$ pair occurs with probability at most $2^{-H_\infty(W \mid \sigma)}$. Thus, $\Pr[\mathrm{Succ} \mid \mathrm{tr}] \le 2^{n-2v} \cdot 2^{-H_\infty(W \mid \sigma)}$. The overall success probability of $A$ is given by
$$\mathbb{E}_{\mathrm{tr}}\big[\Pr[\mathrm{Succ} \mid \mathrm{tr}]\big] \le 2^{n-2v} \cdot \mathbb{E}_{\mathrm{tr}}\big[2^{-H_\infty(W \mid \sigma)}\big] = 2^{n-2v} \cdot 2^{-\tilde H_\infty(W \mid \sigma)}.$$
Since $|\sigma| = v$, we have $\tilde H_\infty(W \mid \sigma) \ge m - v$, and we conclude that $\Pr[\mathrm{Succ}] \le 2^{n-v-m} \le \delta$.

Post-application robustness. Because $|R| = \ell$, providing $R$ to the adversary can increase its success probability by a multiplicative factor of at most $2^{\ell}$ as compared to pre-application robustness.[4] Thus, if $3\ell \le 2m - n - 2\log(1/\delta)$, the adversary's success probability (in the post-application robustness game) is at most $2^{\ell} \cdot 2^{n-v-m} = 2^{\ell} \cdot 2^{(n+\ell-2m)/2} \le \delta$.

[4] One might hope to improve this analysis, but we show in Appendix A that the analysis here is essentially tight.
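To make the construction concrete, the following is an added example (not code from the paper) implementing Gen and Rep of this section and, going one step beyond it, the $ia + b$ variant described in Section 3.1.1 that follows. The field $\mathrm{GF}(2^{128})$ with reduction polynomial $x^{128}+x^7+x^2+x+1$, the choices of $v$, and all sample values are assumptions of the example; the bit conventions follow the paper ($[x]_1^v$ is the low $v$ bits, the rest is the key).

```python
import secrets

# Added example, not the paper's code: the errorless robust extractors of
# Section 3.1 (w = a||b with |b| = v) and Section 3.1.1 (|a| = |b| = n/2)
# over GF(2^128).  Bit j of a Python int holds the coefficient of x^j, so
# field addition is XOR, exactly as the constructions require.
GF_DEG = 128
GF_MOD = (1 << 128) | 0x87      # x^128 + x^7 + x^2 + x + 1, irreducible over GF(2)


def gf_mul(x, y):
    """Product of two GF(2^128) elements: shift-and-add with reduction."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x >> GF_DEG:         # degree reached 128: subtract the modulus
            x ^= GF_MOD
    return r


def low_bits(x, v):
    """[x]_1^v, the v low-order bits of x; the remaining bits are x >> v."""
    return x & ((1 << v) - 1)


# Section 3.1: |a| = n - v = 128 and |b| = v, so n = 128 + v and |R| = 128 - v.
def gen_basic(w, v, i=None):
    """Gen(w) -> (R, P) with P = (i, sigma); the seed i is the only randomness."""
    assert 0 < v < GF_DEG and w >> (GF_DEG + v) == 0
    a, b = w >> v, low_bits(w, v)
    if i is None:
        i = secrets.randbits(GF_DEG)
    ia = gf_mul(i, a)
    sigma = low_bits(ia, v) ^ b     # sigma = [ia]_1^v + b
    return ia >> v, (i, sigma)      # R = [ia]_{v+1}^{n-v}


def rep_basic(w, p, v):
    """Rep(w, P') -> R', or None (the paper's bottom) if the tag check fails."""
    i, sigma = p
    a, b = w >> v, low_bits(w, v)
    ia = gf_mul(i, a)
    if low_bits(ia, v) ^ b != sigma:
        return None
    return ia >> v


# Section 3.1.1: |a| = |b| = n/2 = 128; sigma and R are both cut from y = ia + b.
def gen_improved(w, v, i=None):
    """Gen(w) -> (R, P) with sigma = [y]_1^v and R = [y]_{v+1}^{n/2}."""
    assert 0 < v < GF_DEG and w >> (2 * GF_DEG) == 0
    a, b = w >> GF_DEG, low_bits(w, GF_DEG)
    if i is None:
        i = secrets.randbits(GF_DEG)
    y = gf_mul(i, a) ^ b
    return y >> v, (i, low_bits(y, v))


def rep_improved(w, p, v):
    """Rep(w, P') for the Section 3.1.1 construction."""
    i, sigma = p
    a, b = w >> GF_DEG, low_bits(w, GF_DEG)
    y = gf_mul(i, a) ^ b
    if low_bits(y, v) != sigma:
        return None
    return y >> v


def forgery_detected(gen, rep, w, v):
    """Honest run, then two active substitutions P~ != P: a fresh seed i' with
    sigma kept, and sigma with one bit flipped.  True iff Rep returns R on the
    honest P and rejects both (the seed swap slips through w.p. about 2^-v)."""
    r, (i, sigma) = gen(w, v)
    i_prime = i ^ (1 | secrets.randbits(GF_DEG))   # odd XOR mask, so i' != i
    return (rep(w, (i, sigma), v) == r
            and rep(w, (i_prime, sigma), v) is None
            and rep(w, (i, sigma ^ 1), v) is None)


if __name__ == "__main__":
    # Constructed sample inputs: a 192-bit w for Section 3.1 and a 256-bit w
    # for Section 3.1.1, both with v = 64, so both extract 64-bit keys.
    w1 = secrets.randbits(GF_DEG + 64)
    w2 = secrets.randbits(2 * GF_DEG)
    print("basic   :", forgery_detected(gen_basic, rep_basic, w1, 64))
    print("improved:", forgery_detected(gen_improved, rep_improved, w2, 64))
```

With $a = 1$ the product $ia$ is just $i$, which makes the outputs checkable by hand; the robustness guarantee itself of course needs $W$ to have min-entropy above $n/2$, not a fixed $w$.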
3.1.1 Improved Post-Application Robustness

In this section, we present a construction of an extractor with post-application robustness that extracts a key of length $m - n/2 - \log(1/\delta)$, an improvement by a factor of $3/2$ as compared to the construction given above. Assume $n$ is even for simplicity.

To compute $\mathrm{Gen}(w)$, let $a$ and $b$ denote the first and last halves of $w$, respectively, and view $a$ and $b$ as elements of $\mathrm{GF}(2^{n/2})$. Choose a random $i \in \mathrm{GF}(2^{n/2})$ and compute $y = ia + b$. Let $\sigma$ be the first $v$ bits of $y$, where $v < n/2$ is a parameter of the scheme, and let $R$ be the remainder of $y$; i.e., $\sigma = [y]_1^{v}$ and $R = [y]_{v+1}^{n/2}$. Output $P = (i, \sigma)$.

$\mathrm{Rep}(w, P')$, where $P' = (i', \sigma')$, proceeds in the obvious way: Parse $w$ as two strings $a, b$ as above. Then verify that $\sigma' = [i'a + b]_1^{v}$ and output $\bot$ if this is not the case. Otherwise, compute the extracted key $R' = [i'a + b]_{v+1}^{n/2}$.

Before giving the formal proof, we provide some intuition as to why this construction has better post-application robustness. Recall that in the previous construction $w$ is parsed as two strings $a$ and $b$ of lengths $n - v$ and $v$, respectively, and the values $\sigma, R$ are computed as $\sigma = [ia]_1^{v} + b$ and $R = [ia]_{v+1}^{n-v}$. Increasing $v$ improves robustness but decreases the number of extracted bits. For pre-application robustness, setting $v = n - m + \log(1/\delta)$ suffices, and thus the construction extracts nearly $(2m - n)$ bits. For post-application robustness, however, a larger $v$ must be used, and consequently the number of extracted bits is decreased. The post-application robustness game reveals more information to the adversary $A$ about $w$ than the pre-application robustness game. This additional information, namely $R$ itself, may make it easier for $A$ to guess $\sigma'$. The key to our improvement is to use the pairwise-independent function $h_i(a, b) = ia + b$ to compute both $\sigma$ and $R$. Because of pairwise independence, the value $(\sigma, R)$ of $h_i(a, b)$ leaks nothing about the value $(\sigma', R') = h_{i'}(a, b)$ for any $i' \ne i$.
(This holds when $(a, b)$ is uniform; when $(a, b)$ has min-entropy $m$, then $A$ may have up to $n - m$ bits of information about $\sigma'$.) In contrast, in the previous construction only $\sigma$ was computed using a pairwise-independent hash function. This works better for pre-application robustness (because $b$ can be taken shorter), but worse for post-application robustness.

Theorem 4 Fix $v$, and let $\ell = n/2 - v$ be the length of the extracted key. Then for any $\varepsilon, \delta$ satisfying
$$\ell \le m - n/2 - \log(1/\delta) \quad\text{and}\quad m \ge n/2 + 2\log(1/\varepsilon),$$
(Gen, Rep) is an $(m, \ell, 0, \varepsilon)$-fuzzy extractor with post-application robustness $\delta$.

Proof We first show that $R \in \{0,1\}^{\ell}$ is nearly uniform given $P$. The proof proceeds along the lines of the analogous proof for Theorem 3. As before, we begin by showing that $\mathcal{H} = \{h_i : h_i(a, b) = (\sigma, R)\}$ is universal. Indeed, for $(a, b) \ne (a', b')$ we have
$$\Pr_i[h_i(a,b) = h_i(a',b')] = \Pr_i[ia + b = ia' + b'] = \Pr_i[i(a - a') = (b' - b)].$$
If $a = a'$ then $b \ne b'$ and so $\Pr_i[i(a - a') = (b' - b)] = 0$. If $a \ne a'$, then there is a unique $i$ for which $i(a - a') = (b' - b)$, and so $\Pr_i[i(a - a') = (b' - b)] = 2^{-n/2}$.
The above and Lemma 2 imply that $(i, R, \sigma)$ is $\tfrac{1}{2} \cdot 2^{(n/2 - m)/2}$-close to $U_{n/2} \times U_\ell \times U_v$. As in the previous proof, and recalling that $P = (i, \sigma)$, this means that $\mathrm{SD}((R, P), U_\ell \times P) \le 2^{(n/2 - m)/2} \le \varepsilon$.

Post-application robustness. As in the previous proof, we prove that robustness holds for a worst-case choice of $i$. Fix $i$ and $A$, and let Succ be the event that $A$ succeeds. Since $A$ is unbounded, we may assume it is deterministic. Thus, upon observing $\sigma, R$ the adversary outputs $(i', \sigma') \ne (i, \sigma)$; the adversary succeeds if $[i'a + b]_1^{v} = \sigma'$. Note that if $i' = i$ then Rep will reject unless $\sigma' = \sigma$; therefore, we need only consider the case $i' \ne i$. We now let a transcript be a tuple $\mathrm{tr} = (\sigma, R, i', \sigma')$, and say it is possible if $A(\sigma, R) = (i', \sigma')$. For any possible transcript $\mathrm{tr} = (\sigma, R, i', \sigma')$ we have the following (in the probability expressions below, $a\|b$ is chosen according to the distribution $W$ conditioned on tr or, equivalently, conditioned on $\sigma, R$):
$$\begin{aligned}
\Pr[\mathrm{Succ} \mid \mathrm{tr}] &= \Pr_{a\|b}\Big[\big(ia + b = \sigma \| R\big) \wedge \big([i'a + b]_1^{v} = \sigma'\big)\Big] \\
&= \sum_{R' \in \{0,1\}^{\ell}} \Pr_{a\|b}\Big[\big(ia + b = \sigma \| R\big) \wedge \big(i'a + b = \sigma' \| R'\big)\Big].
\end{aligned}$$
For any fixed $R'$, there is a unique value $(a, b)$ for which $ia + b = \sigma \| R$ and $i'a + b = \sigma' \| R'$. Each $(a, b)$ pair occurs with probability at most $2^{-H_\infty(W \mid \sigma, R)}$. We thus see that $\Pr[\mathrm{Succ} \mid \mathrm{tr}] \le 2^{\ell} \cdot 2^{-H_\infty(W \mid \sigma, R)}$. The overall success probability of $A$ is given by $\mathbb{E}_{\mathrm{tr}}[\Pr[\mathrm{Succ} \mid \mathrm{tr}]] \le 2^{\ell} \cdot 2^{-\tilde H_\infty(W \mid \sigma, R)}$. Since $|\sigma| + |R| = n/2$, we have $\tilde H_\infty(W \mid \sigma, R) \ge m - n/2$, and so $\Pr[\mathrm{Succ}] \le 2^{\ell - m + n/2} \le \delta$.

3.1.2 Authenticating a Message While Extracting

Each of the constructions given previously uses the parties' input $w$ to authenticate the extractor seed $i$. Each construction can be extended to additionally authenticate a message $M$, i.e., to be simultaneously a robust fuzzy extractor and an information-theoretic one-time MAC. In this setting, both Gen and Rep will take an additional input $M$, and it should be difficult for an adversary to cause Rep to accept a different $M'$. (We are being informal here, since this is merely a stepping stone to the results of the following section.)
This could be done naively by using (a part of) $R$ as a key for a MAC, but this would correspondingly reduce the final number of extracted bits. In contrast, the approach presented here (almost) does not reduce the length of $R$ at all.

We show how to extend the original construction given at the beginning of Section 3.1; the construction of Section 3.1.1 can be extended similarly. We adapt a standard technique [6, 3, 38] for authenticating messages using polynomial-based almost-universal hash functions. Let $|M| = L \cdot (n - v)$, where $L$ is known to both parties in advance. Split $M$ into $L$ chunks $M_0, \ldots, M_{L-1}$, each $n - v$ bits long, and view these as coefficients of a polynomial $M(x) \in \mathrm{GF}(2^{n-v})[x]$ of degree $L - 1$. To compute $\mathrm{Gen}(w, M)$, parse $w$ as $a \| b$, choose random $i \in \mathrm{GF}(2^{n-v})$, compute $\sigma = [a^2 M(a) + ia]_1^{v} + b$, and set $P = (i, \sigma)$. As before, the extracted key is $R = [ia]_{v+1}^{n-v}$. The procedure Rep, given $w$, $M'$, and $P' = (i', \sigma')$, verifies that $|M'| = L \cdot (n - v)$ and that $\sigma' = [a^2 M'(a) + i'a]_1^{v} + b$. If so, it accepts $M'$ as valid and additionally outputs $R' = [i'a]_{v+1}^{n-v}$.
Extraction and robustness (which here means that neither $i$ nor $M$ can be modified without detection) are proved in a manner very similar to the proof of Theorem 3. Fix arbitrary $M$, known to the adversary. To argue that $R$ is nearly uniform given $P = (i, \sigma)$, we will show that $\mathcal{H} = \{h_i : h_i(a, b) \stackrel{\mathrm{def}}{=} (\sigma, R)\}$ is universal. Indeed, for $(a, b) \ne (a', b')$, we have
$$\Pr_i[h_i(a,b) = h_i(a',b')] = \Pr_i\Big[\, i(a - a') = 0^{n-2v} \,\|\, \big([(a')^2 M(a') - a^2 M(a)]_1^{v} + b' - b\big) \,\Big].$$
If $a = a'$ then $b \ne b'$ and the above equality cannot be satisfied; if $a \ne a'$, there is a unique $i$ satisfying the equality. This proves universality. The rest of the proof proceeds as before.

For (pre-application) robustness, fix arbitrary $M$ and $i$ (known to $A$) and proceed as before. The only difference is that we now need to compute the number of values of $a$ for which
$$[a^2 M(a) + ia - a^2 M'(a) - i'a]_1^{v} = \sigma - \sigma'. \qquad (1)$$
The crucial property is that the polynomial $x^2 M(x) + ix - x^2 M'(x) - i'x$ is nonconstant if $(M, i) \ne (M', i')$. A nonconstant polynomial of degree at most $L + 1$ can take on a given value at most $L + 1$ times; hence, there are at most $(L + 1) \cdot 2^{n-2v}$ values of $a$ satisfying Eq. (1). The probability that the adversary succeeds (in changing either $i$ or $M$ without being detected) is thus at most $(L + 1) \cdot 2^{n-v-m}$. Note that the resulting forgery probability is affected only by a multiplicative factor of $(L + 1)$; since we expect $(L + 1) \ll 1/\delta$ in practice, the impact is small.

3.2 Adding Error-Tolerance ($w \ne w'$)

We now consider settings where the input $w'$ held by the second party is close, but not identical, to the input $w$ used by the first party. An obvious first attempt is to include a secure sketch $s = \mathrm{SS}(w)$ along with $(i, \sigma)$, and to authenticate $s$ using the message-authentication technique discussed in the previous section; $s$ would allow recovery of $w$ from $w'$, and then verification could proceed as before.
Unfortunately, this does not quite work: if the adversary modifies the sketch $s$, then a different value $\tilde w \ne w$ may be recovered; however, the results of the previous section apply only when the receiver uses the same $w$ as the sender. In effect, we have a circularity: the receiver uses $w$ to verify that $s$ was not modified, but the receiver computes $w$ (from $w'$) using a possibly modified $s$.

We show how to break this circularity using a modification of the message-authentication technique from earlier. The key idea is to exploit algebraic structure in the metric space, and to change the message authentication code so that it remains secure even when the adversary can influence the key (this is sometimes referred to as security against "related-key attacks"; our approach was generalized in [2]). Specifically, we first treat the case where the distance between $w$ and $w'$ is small in the Hamming metric; in a later section we extend the approach to the set-difference metric.

Another problem arises from the fact that the performance of our previous constructions degrades not only when the min-entropy $m$ of the input decreases, but also when the entropy gap $g = n - m$ increases (for example, Theorem 3 can extract roughly $m - g$ bits with pre-application robustness). Because $s$ reveals information about $w$, the entropy of $w$ from the adversary's point of view decreases, and the entropy gap increases. An important idea is to limit this increase by using the (shorter) part of $w$ that is independent of $s$.
3.2.1 Tolerating Binary Hamming Errors

We begin by extending the construction presented at the beginning of Section 3.1 to tolerate binary Hamming errors; we then extend the construction from Section 3.1.1. Our metric space is $\mathcal{M} = \{0,1\}^n$ and the distance between two strings is the Hamming distance, i.e., the number of bit positions in which they differ. Suppose the input $W$ is a distribution of min-entropy $m$ over $\mathcal{M}$, and that $w'$ is guaranteed to be within distance $t$ of $w$.

Our starting point is to use a deterministic, linear, secure sketch $s = \mathrm{SS}(w)$ that is $k$ bits long; let $n' = n - k$ and note that $\tilde H_\infty(W \mid \mathrm{SS}(W)) \ge m - k$. We assume that SS is a surjective, linear function (this is the case for the syndrome sketch for the Hamming metric), and so there exists a $k \times n$ matrix $S$ of rank $k$ such that $\mathrm{SS}(w) = Sw$. Let $S'$ be an $n' \times n$ matrix such that the $n \times n$ matrix $\binom{S}{S'}$ has full rank. We let $\mathrm{SS}'(w) \stackrel{\mathrm{def}}{=} S'w$. One can view $\mathrm{SS}'(w)$ as the information remaining in $w$ once $\mathrm{SS}(w)$ has been learned by the adversary.

We define Gen, Rep as follows. Gen, on input $w$, begins by computing $s = \mathrm{SS}(w)$ and $c = \mathrm{SS}'(w)$. It then parses $c \in \{0,1\}^{n'}$ as two strings $a, b$ with $|a| = n' - v$ and $|b| = v$, where $v \le n'/2$ (so $|a| \ge |b|$) is a parameter of the construction. Letting $L = 2\lceil k / (2(n' - v)) \rceil$, it pads $s$ with 0s to length $L(n' - v)$ and parses the resulting string as $s_{L-1} \| s_{L-2} \| \cdots \| s_0$ with $s_i \in \mathrm{GF}(2^{n'-v})$. It chooses random $i \in \mathrm{GF}(2^{n'-v})$, and defines
$$f_{s,i}(x) = x^{L+3} + x^2\big(s_{L-1} x^{L-1} + s_{L-2} x^{L-2} + \cdots + s_0\big) + ix.$$
Finally, it sets $\sigma = [f_{s,i}(a)]_1^{v} + b$, and outputs $R = [ia]_{v+1}^{n'-v}$ and $P = (s, i, \sigma)$.

Rep, on inputs $w'$ and $P' = (s', i', \sigma')$, first computes $\tilde w = \mathrm{SRec}(w', s') \in \{0,1\}^n$. It checks that $\mathrm{dis}(\tilde w, w') \le t$ and $\mathrm{SS}(\tilde w) = s'$; if not, then it outputs $\bot$. Otherwise, let $c' = \mathrm{SS}'(\tilde w)$ and parse $c'$ as $a' \| b'$ with $|a'| = n' - v$ and $|b'| = v$. Check that $\sigma' = [f_{s',i'}(a')]_1^{v} + b'$: if not, output $\bot$; otherwise output $R' = [i'a']_{v+1}^{n'-v}$.
Before turning to the detailed analysis, we note that the polynomial $f_{s,i}$ defined above differs from the message-authentication technique in the previous section only in the leading term $x^{L+3}$ (and the forcing of $L$ to be even). It has the property that for any pair $(s', i') \ne (s, i)$, and for any fixed offset $\Delta$, the polynomial $f_{s',i'}(x) - f_{s,i}(x + \Delta)$ is a non-constant polynomial of degree at most $L + 2$: this is easy to see for $\Delta = 0$; if $\Delta \ne 0$, then the leading term is $\Delta x^{L+2}$ (recall we are working in a field of characteristic 2 and $L$ is even). Our analysis will show that $f_{s,i}(a)$ amounts to a message authentication code (where the shared key $a$ is used to authenticate $s, i$) that is provably secure against a class of related-key attacks where the adversary can force the receiver to use a key shifted by an offset known to the adversary.

Theorem 5 Let $\mathcal{M}$ denote $\{0,1\}^n$ under the Hamming metric, let SS be the $(m, m - k, t)$-secure syndrome sketch for $\mathcal{M}$, and let $B$ denote the volume of the ball of radius $t$ in $\mathcal{M}$. Fix $v$, and let $\ell = n - k - 2v$ be the length of the extracted key. Then:

- For any $\varepsilon, \delta$ satisfying
{ l 2m n k 2 max log B + log 2m n k 2 max ( 2 k n k { log B + log 2n δ, 2 log ( }, ) log ( ) ( δ, 2 log ) } ε
(Gen, Rep) is an $(m, \ell, t, \varepsilon)$-fuzzy extractor for $\mathcal{M}$ with pre-application robustness $\delta$.
More informationEntity Authentication
Entity Authentication Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Entity authentication pk (sk, pk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) Is it Charlie? α k The
More informationResource-efficient OT combiners with active security
Resource-efficient OT combiners with active security Ignacio Cascudo 1, Ivan Damgård 2, Oriol Farràs 3, and Samuel Ranellucci 4 1 Aalborg University, ignacio@math.aau.dk 2 Aarhus University, ivan@cs.au.dk
More informationLecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004
CMSC 858K Advanced Topics in Cryptography March 18, 2004 Lecturer: Jonathan Katz Lecture 16 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Digital Signature Schemes In this lecture, we introduce
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 7, 2015 CPSC 467, Lecture 11 1/37 Digital Signature Algorithms Signatures from commutative cryptosystems Signatures from
More informationLectures 2+3: Provable Security
Lectures 2+3: Provable Security Contents 1 Motivation 1 2 Syntax 3 3 Correctness 5 4 Security Definitions 6 5 Important Cryptographic Primitives 8 6 Proofs of Security 10 7 Limitations of Provable Security
More informationLecture 14: Cryptographic Hash Functions
CSE 599b: Cryptography (Winter 2006) Lecture 14: Cryptographic Hash Functions 17 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Hash Function Properties A hash function family H = {H K } K K is
More information5th March Unconditional Security of Quantum Key Distribution With Practical Devices. Hermen Jan Hupkes
5th March 2004 Unconditional Security of Quantum Key Distribution With Practical Devices Hermen Jan Hupkes The setting Alice wants to send a message to Bob. Channel is dangerous and vulnerable to attack.
More informationLectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols
CS 294 Secure Computation January 19, 2016 Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols Instructor: Sanjam Garg Scribe: Pratyush Mishra 1 Introduction Secure multiparty computation
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key
More informationCryptography CS 555. Topic 25: Quantum Crpytography. CS555 Topic 25 1
Cryptography CS 555 Topic 25: Quantum Crpytography CS555 Topic 25 1 Outline and Readings Outline: What is Identity Based Encryption Quantum cryptography Readings: CS555 Topic 25 2 Identity Based Encryption
More informationCryptography and Security Final Exam
Cryptography and Security Final Exam Solution Serge Vaudenay 29.1.2018 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices
More informationLecture Summary. 2 Simplified Cramer-Shoup. CMSC 858K Advanced Topics in Cryptography February 26, Chiu Yuen Koo Nikolai Yakovenko
CMSC 858K Advanced Topics in Cryptography February 26, 2004 Lecturer: Jonathan Katz Lecture 10 Scribe(s): Jeffrey Blank Chiu Yuen Koo Nikolai Yakovenko 1 Summary We had previously begun to analyze the
More informationNear-Optimal Secret Sharing and Error Correcting Codes in AC 0
Near-Optimal Secret Sharing and Error Correcting Codes in AC 0 Kuan Cheng Yuval Ishai Xin Li December 18, 2017 Abstract We study the question of minimizing the computational complexity of (robust) secret
More informationLecture 3,4: Multiparty Computation
CS 276 Cryptography January 26/28, 2016 Lecture 3,4: Multiparty Computation Instructor: Sanjam Garg Scribe: Joseph Hui 1 Constant-Round Multiparty Computation Last time we considered the GMW protocol,
More informationLecture 1. 1 Introduction. 2 Secret Sharing Schemes (SSS) G Exposure-Resilient Cryptography 17 January 2007
G22.3033-013 Exposure-Resilient Cryptography 17 January 2007 Lecturer: Yevgeniy Dodis Lecture 1 Scribe: Marisa Debowsky 1 Introduction The issue at hand in this course is key exposure: there s a secret
More informationprotocols such as protocols in quantum cryptography and secret-key agreement by public discussion [8]. Before we formalize the main problem considered
Privacy Amplication Secure Against Active Adversaries? Ueli Maurer Stefan Wolf Department of Computer Science Swiss Federal Institute of Technology (ETH Zurich) CH-8092 Zurich, Switzerland E-mail addresses:
More informationSecure Identification and QKD in the Bounded-Quantum-Storage Model
Secure Identification and QKD in the Bounded-Quantum-Storage Model Ivan B. Damgård 1, Serge Fehr 2, Louis Salvail 1, and Christian Schaffner 2 1 BRICS, FICS, Aarhus University, Denmark {ivan salvail}@brics.dk
More informationLecture 2: Perfect Secrecy and its Limitations
CS 4501-6501 Topics in Cryptography 26 Jan 2018 Lecture 2: Perfect Secrecy and its Limitations Lecturer: Mohammad Mahmoody Scribe: Mohammad Mahmoody 1 Introduction Last time, we informally defined encryption
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationOn the Randomness Requirements for Privacy
On the Randomness Requirements for Privacy by Carl Bosley A dissertation submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy Department of Computer Science New York
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots
More informationSession-Key Generation using Human Passwords Only
Session-Key Generation using Human Passwords Only Oded Goldreich Department of Computer Science Weizmann Institute of Science Rehovot, Israel. oded@wisdom.weizmann.ac.il Yehuda Lindell Department of Computer
More informationDetection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors
Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer 1,2, Yevgeniy Dodis 3, Serge Fehr 2, Carles Padró 4, and Daniel Wichs 3 1 Mathematical
More informationCryptography and Security Final Exam
Cryptography and Security Final Exam Serge Vaudenay 29.1.2018 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices are not
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Announcements Reminder: Homework 1 due tomorrow 11:59pm Submit through Blackboard Homework 2 will hopefully be posted tonight
More informationSecure Sketch for Multi-Sets
Secure Sketch for Multi-Sets Ee-Chien Chang Vadym Fedyukovych Qiming Li March 15, 2006 Abstract Given the original set X where X = s, a sketch P is computed from X and made public. From another set Y where
More informationLecture Notes 20: Zero-Knowledge Proofs
CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Lecture Notes 20: Zero-Knowledge Proofs Reading. Katz-Lindell Ÿ14.6.0-14.6.4,14.7 1 Interactive Proofs Motivation: how can parties
More informationNon-Malleable Extractors with Shorter Seeds and Their Applications
Non-Malleable Extractors with Shorter Seeds and Their Applications Yanqing Yao 1, and Zhoujun Li 1, 1 School of Computer Science and Engineering, Beihang University, Beijing, China Beijing Key Laboratory
More informationCS Communication Complexity: Applications and New Directions
CS 2429 - Communication Complexity: Applications and New Directions Lecturer: Toniann Pitassi 1 Introduction In this course we will define the basic two-party model of communication, as introduced in the
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 23 February 2011 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationCPSC 467b: Cryptography and Computer Security
Outline Authentication CPSC 467b: Cryptography and Computer Security Lecture 18 Michael J. Fischer Department of Computer Science Yale University March 29, 2010 Michael J. Fischer CPSC 467b, Lecture 18
More information1 Secure two-party computation
CSCI 5440: Cryptography Lecture 7 The Chinese University of Hong Kong, Spring 2018 26 and 27 February 2018 In the first half of the course we covered the basic cryptographic primitives that enable secure
More informationTHE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY
THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY Mark Zhandry - Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical
More informationLecture 3: Randomness in Computation
Great Ideas in Theoretical Computer Science Summer 2013 Lecture 3: Randomness in Computation Lecturer: Kurt Mehlhorn & He Sun Randomness is one of basic resources and appears everywhere. In computer science,
More informationEssentially Optimal Robust Secret Sharing with Maximal Corruptions
Essentially Optimal Robust Secret Sharing with Maximal Corruptions Allison Bishop 1, Valerio Pastro 1, Rajmohan Rajaraman 2, and Daniel Wichs 2 1 Columbia University 2 Northeastern University November
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More informationLecture 3: Lower bound on statistically secure encryption, extractors
CS 7880 Graduate Cryptography September, 015 Lecture 3: Lower bound on statistically secure encryption, extractors Lecturer: Daniel Wichs Scribe: Giorgos Zirdelis 1 Topics Covered Statistical Secrecy Randomness
More informationBlock Ciphers/Pseudorandom Permutations
Block Ciphers/Pseudorandom Permutations Definition: Pseudorandom Permutation is exactly the same as a Pseudorandom Function, except for every key k, F k must be a permutation and it must be indistinguishable
More informationLecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations
CMSC 858K Advanced Topics in Cryptography April 20, 2004 Lecturer: Jonathan Katz Lecture 22 Scribe(s): agaraj Anthapadmanabhan, Ji Sun Shin 1 Introduction to These otes In the previous lectures, we saw
More informationLecture 9 - Symmetric Encryption
0368.4162: Introduction to Cryptography Ran Canetti Lecture 9 - Symmetric Encryption 29 December 2008 Fall 2008 Scribes: R. Levi, M. Rosen 1 Introduction Encryption, or guaranteeing secrecy of information,
More informationOutline. Computer Science 418. Number of Keys in the Sum. More on Perfect Secrecy, One-Time Pad, Entropy. Mike Jacobson. Week 3
Outline Computer Science 48 More on Perfect Secrecy, One-Time Pad, Mike Jacobson Department of Computer Science University of Calgary Week 3 2 3 Mike Jacobson (University of Calgary) Computer Science 48
More informationb = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.
INTRODUCTION TO CRYPTOGRAPHY 5. Discrete Logarithms Recall the classical logarithm for real numbers: If we write b = 10 a, then a = log 10 b is the logarithm of b to the base 10. Changing the base to e
More informationA Lower Bound on the Key Length of Information-Theoretic Forward-Secure Storage Schemes
A Lower Bound on the Key Length of Information-Theoretic Forward-Secure Storage Schemes Stefan Dziembowski Department of Computer Science University of Rome, La Sapienza Abstract. Forward-Secure Storage
More informationRound-Efficient Multi-party Computation with a Dishonest Majority
Round-Efficient Multi-party Computation with a Dishonest Majority Jonathan Katz, U. Maryland Rafail Ostrovsky, Telcordia Adam Smith, MIT Longer version on http://theory.lcs.mit.edu/~asmith 1 Multi-party
More informationSolutions for week 1, Cryptography Course - TDA 352/DIT 250
Solutions for week, Cryptography Course - TDA 352/DIT 250 In this weekly exercise sheet: you will use some historical ciphers, the OTP, the definition of semantic security and some combinatorial problems.
More information